Apache Cordova (Phonegap): is JSONP needed for cross-site scripting?


Problem description

I've just started using Apache Cordova. I have a library that makes calls (via AJAX) to a SOAP server.

When I run these on my local machine in Chrome, I get cross-site scripting errors when trying to make calls to the service.

When I run the exact same code using the Cordova browser in the iOS emulator, the scripts seem to hit the server fine and the response data is received properly.

So my question is: how is the Cordova browser able to make these requests without cross-site scripting permissions and JSONP? One thing I noticed is that when the request is sent from iOS, there is no "Origin" header. Is this allowing the Cordova browser to stealthily circumvent cross-site scripting requirements? Is it possible that the node.js server on the device (I believe this is how Cordova works) is manipulating the headers to allow this?

I'd like to avoid enabling cross-site scripting on my site, so I think this "feature" is nice, but I'm wondering if it's a security hole as well.

Anyone have experience with this?

Recommended answer

By default, Phonegap allows cross-domain requests. You can restrict this using domain whitelisting if you're worried about security. If you're using jQuery, set $.support.cors = true; to allow cross-domain requests.

This page has a breakdown of cross-site scripting security in Phonegap.

By the way, there's a neat trick you can use with Google Chrome to allow cross-site scripting and therefore test your Phonegap app in the Ripple emulator, for example: set the command-line parameter --disable-web-security in the shortcut to Chrome, e.g.

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security
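The domain whitelisting the answer mentions is configured in the app's config.xml (Cordova 4+ with cordova-plugin-whitelist) together with a Content-Security-Policy meta tag in www/index.html. The fragment below is an added example, not part of the original answer or of the Cordova project's own templates; the SOAP host https://soap.example.com is a hypothetical placeholder for the asker's server. It shows the permissive default beside a restricted configuration. Note that the allowlist only limits which origins the app's WebView may contact; it does not authenticate the app to the server, so the server should not treat the missing Origin header as a security property and must still authenticate the caller itself.

```xml
<!-- config.xml, weak default: the WebView may send requests to any origin.
     Malicious content loaded into the app can then talk to any host. -->
<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.soapclient" version="1.0.0">
  <access origin="*" />
</widget>

<!-- config.xml, restricted: only the SOAP server is reachable from the WebView.
     soap.example.com is a hypothetical host; substitute the real service. -->
<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.soapclient" version="1.0.0">
  <!-- Network requests (XHR/AJAX) are allowed only to this origin. -->
  <access origin="https://soap.example.com" />
  <!-- Top-level navigation stays inside the app bundle; no external pages. -->
  <allow-navigation href="file://*" />
  <!-- No outbound intents (tel:, mailto:, external browser) unless listed. -->
</widget>

<!-- www/index.html: a CSP that enforces the same boundary inside the WebView.
     'gap:' is the iOS Cordova bridge scheme and is required there (assumption:
     UIWebView/WKWebView bridge); connect-src limits XHR to the SOAP host. -->
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self' data: gap:;
               connect-src 'self' https://soap.example.com;
               script-src 'self';
               style-src 'self' 'unsafe-inline'">
```

The <access> element governs the plugin-level allowlist, while the CSP is evaluated by the WebView itself; keeping both restricted to the same host means a request to any other origin is blocked at two independent layers.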

